Configure two vLCs in a high availability Azure environment

Two virtual log collectors can be configured in a high availability environment in Azure using a Network Load Balancer to reduce the risk of data loss. In this configuration, both log collector nodes are actively collecting data and are in the Azure environment.

Note: After you configure high availability, syslog still listens on both the log collector management IP address and the network load balancer IP address.

These resources are required:

Deploy a network load balancer

  1. Sign in to Microsoft Azure.
  2. In the search box, enter Load balancer, and then select Load balancers in the search results.
  3. On the Load balancers page, click + Create.
  4. On the Basics tab, configure these settings:
    • Subscription — Select your subscription.
    • Resource Group — Select your resource group.
    • Name — Enter a name for the load balancer. For example, nlb.
    • Region — Select a region.
    • SKU — Select Standard.
    • Type — Select Internal.
  5. On the Frontend IP configuration tab, click + Add frontend IP configuration, and then configure these settings:
    • Virtual network — Select the same virtual network as your vLCs.
    • Subnet — Select the subnet.
    • Assignment — Select Static.
    • IP address — Enter a valid IP address.
    • Availability zone — Select the Availability zone.
  6. Click OK, and then click Add.
  7. Click Next.
  8. On the Backend Pools tab, click + Add a backend pool, and then do these actions:
    1. Configure these settings:
      • Name — Enter a name.
      • Backend pool configuration — Select NIC.
    2. In the IP configurations section, click + Add.
    3. On the Add IP configuration to backend pool page, select both vLCs.
    4. Click Add.
  9. On the Inbound rules tab, in the Load balancing rule section, click + Add a load balancing rule.
  10. Configure these settings:
    • Name — Enter a name, for example inbound_rule.
    • IP Version — Select IPv4.
    • Frontend IP address — Enter the frontend IP that you created earlier.
    • Backend pool — Enter the backend pool that you created earlier.
    • High availability ports — Select the checkbox.
    • In the Health probe section, click Create new.
      1. Configure these settings:
        • Name — Enter a name.
        • Protocol — Select TCP.
        • Port — Enter 514.
        • Interval — Enter 5.
      2. Click Save.
    • Session persistence — Select Client IP.
  11. Click Save.

Configure log sources to send logs to the NLB

  1. Locate the IP address entered in Load balancers > Frontend IP configuration > IP address.
  2. Configure syslog forwarding on your log sources to send log data to the IP address of the Azure NLB.
    Note: If you use AD Sensor and NXLog, we recommend reconfiguring them to send log data to the IP address of the Azure NLB. Contact your Arctic Wolf Concierge Security® Team (CST) for assistance.

After you have completed the high availability configuration, contact your CST to confirm that configuration was successful.
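
To check the setup from a host in the same virtual network before repointing production log sources, the following added example (not part of the Arctic Wolf documentation) performs the same TCP connect check on port 514 that the health probe uses, against the NLB frontend and both vLC management addresses, and then sends one test message through the NLB. The IP addresses are constructed placeholders, and the RFC 5424 message format with newline framing is an assumption about what the collectors accept.

```python
import socket
from datetime import datetime, timezone

SYSLOG_PORT = 514  # same port the health probe in the procedure targets


def tcp_probe(host, port=SYSLOG_PORT, timeout=3.0):
    """Return True if a TCP handshake completes, which is what a TCP health probe needs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def check_endpoints(endpoints, port=SYSLOG_PORT):
    """Probe every named endpoint and return {name: reachable}."""
    return {name: tcp_probe(ip, port) for name, ip in endpoints.items()}


def build_test_message(tag="nlb-ha-check", text="test event", hostname=None):
    """RFC 5424 line; PRI 134 = facility local0 (16) * 8 + severity info (6)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    host = hostname or socket.gethostname()
    return f"<134>1 {ts} {host} {tag} - - - {text}"


def send_tcp_syslog(host, message, port=SYSLOG_PORT, timeout=3.0):
    """Send one newline-framed message over TCP and return the bytes sent."""
    data = (message + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)


if __name__ == "__main__":
    # Constructed placeholder addresses (documentation range); replace with your own.
    endpoints = {
        "nlb-frontend": "192.0.2.10",
        "vlc-1": "192.0.2.11",
        "vlc-2": "192.0.2.12",
    }
    results = check_endpoints(endpoints)
    for name, ok in results.items():
        print(f"{name:<13} tcp/{SYSLOG_PORT} {'open' if ok else 'UNREACHABLE'}")
    # Only send through the NLB when both backends answered the probe.
    if all(results.values()):
        send_tcp_syslog(endpoints["nlb-frontend"], build_test_message())
```

If a vLC shows as unreachable here, the load balancer's health probe will also mark it down and all traffic will go to the remaining node, so resolve that before relying on the pair for redundancy.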